This document describes the steps used to translate (NAT) the VPN
traffic from one end that travels over a LAN-to-LAN (L2L) IPsec tunnel between
two security appliances, and also to PAT the Internet traffic. Each security
appliance has a private protected network behind it.

The network 192.168.1.0 in PIX-A is translated to the 172.18.1.0 network,
and the VPN traffic is sent through the IPsec tunnel.

In L2L VPN, you can initiate the IPsec tunnel from either side of
the tunnel endpoints. In this scenario, the inside network of PIX-A
(192.168.1.0) is translated to the 172.18.1.0 network using Policy NAT for
VPN traffic. Because of this translation, the source network of the
interesting traffic, 172.18.1.0, is not reachable from PIX-B. If you try to
initiate the tunnel from PIX-B, the destination address of the VPN
interesting traffic, 172.18.1.0 (that is, the natted network address of
PIX-A), is not reachable. So you must initiate the VPN tunnel only from PIX-A.
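
A PIX-A configuration fragment for the translation described above, added here as an illustration and not taken from the original document. The ACL names (policy-nat, vpn-traffic), the crypto map name and sequence number, and the /24 mask on the inside network are assumptions; REMOTE_NET and REMOTE_MASK are placeholders for the PIX-B inside network, which this section does not state.

```cisco
! Added example for PIX-A (version 7.x syntax). Names are hypothetical.
! REMOTE_NET / REMOTE_MASK = placeholder for the network behind PIX-B.

! 1. Policy NAT: translate 192.168.1.0 to 172.18.1.0 only when the
!    destination is the remote VPN network.
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 REMOTE_NET REMOTE_MASK
static (inside,outside) 172.18.1.0 access-list policy-nat

! 2. PAT: all other (Internet-bound) traffic from the inside network is
!    translated to the outside interface address. Static policy NAT is
!    evaluated before dynamic NAT/PAT, so VPN traffic never hits this rule.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

! 3. Crypto ACL: NAT is applied before encryption, so the interesting
!    traffic must be defined with the translated source 172.18.1.0,
!    not the real 192.168.1.0 network.
access-list vpn-traffic extended permit ip 172.18.1.0 255.255.255.0 REMOTE_NET REMOTE_MASK
crypto map outside_map 20 match address vpn-traffic
```

The crypto ACL on PIX-B has to mirror step 3, with 172.18.1.0 as the destination; a crypto ACL that references 192.168.1.0 on either side will not match the translated packets.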

The information in this document is based on these software and
hardware versions:

Cisco PIX 500 Series Security Appliance that runs version 7.x and
later

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.